This is my first post, so as you have probably guessed I am looking for some help.
Currently we have close to 1000 ksh scripts operating on HPUX servers that call either isql or bcp to connect to Sybase databases. Problem being that the db passwords are appearing in the job log of the scheduler which calls these scripts. I have been asked to come up with a solution to modify these scripts to stop them outputting these passwords.
The version of isql we are using is Sybase CTISQL Utility/12.5.1/P-EBF13182 ESD #12/DRV.12.5.1.4/hpux/HP-UX 11.11/BUILD1251-045/64bit/OPT/Thu Jan 12 20:44:52 2006
These scripts have been written by a plethora of different developers over the last 10-12 years, and they have set -o xtrace set at the beginning of the scripts to provide debugging information should one of these scripts fail. I have included a simple example of a typical script below, database user names and passwords are all stored as environmental parameters in env_params.ksh
I know that having xtrace set is causing this to happen, but my remit requires that the same level of debugging information should be available after I make my change.
After trawling the web I came across this possible solution, moving the password from the isql command
This works from an isql standpoint but it still outputs the password, as the $DBPASSWORD still has to be evaluated. If I hardcode the actual password in the script (obviously not an option) the password doesn't appear in the script output. The next solution I have come up with is the following which turns off xtrace while the isql command is being run, and setting it back on once the command has completed.
However it is a bit messy, and when you consider it has to be applied to nearly 1000 scripts, I am hoping that there may be a simpler solution out there.
Thanks,
kdk
Last edited by Scott; 11-02-2010 at 08:43 AM..
Reason: Code tags, please...
You could write an isql wrapper also named isql, up-PATH, that knows the path of the real isql, and knows how to acquire the password and add it to the input stream.
It might also remove any -P parameters and re-exec (which isql should have been doing).
Thanks for the feedback DGPickett, I am not sure whether our Unix Admins would go for your suggestion. By any chance does anyone know if this problem would be resolved if we upgraded our version of isql to 15.0.2?
Any user can run any app with a modified PATH to pick up a modified command. It is not generally a security violation. SA's do it all the time, adding wrappers to commands. My ssh is a shell script calling ssh2! Here is a little ksh example:
The parentheses keep that PATH from spreading to other commands. File ~/my_isql_dir/isql is your isql wrapper, and knows the real isql is $real_isql.
Of course, with the support of the gods, you can move the original isql over to isql_real and put your script right there. You just need some way to decide when to add the password, like a reserved argument, perhaps '-P hidden_password', and otherwise just call isql_real. I doubt isql looks at argv[0] to ensure it is "isql", like gzip does (it is all one code for gzip, gunzip, gzcat).
Interestingly, you cannot do this stdin pretend interactive trick with ssh2, as it reads /dev/tty! (But there are stronger tricks!)
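A sketch of the wrapper approach discussed in this thread, added here as an example and not code posted by any participant: it drops any `-P` option, switches xtrace off, and sends the password to the real isql as the first line of its input. The `DBPASSWORD` variable and `$real_isql` names follow the posts above; the default path is a placeholder, and the calling scripts are assumed to pass either no `-P` or the reserved `-P hidden_password`.

```shell
#!/bin/sh
# Added example: isql wrapper installed ahead of the real binary in PATH.
# The default real_isql path is a placeholder, not a path from the thread.
real_isql=${real_isql:-/path/to/real/isql}

isql_wrapper() {
    # Remember the caller's xtrace state and switch tracing off first.
    case $- in
        *x*) _w_trace=1; set +x ;;
        *)   _w_trace=0 ;;
    esac

    # Rebuild "$@" without any -P option ("-P value" and "-Pvalue" forms).
    _w_n=$#; _w_skip=0
    for _w_a in "$@"; do
        if [ "$_w_skip" -eq 1 ]; then _w_skip=0; continue; fi
        case $_w_a in
            -P)  _w_skip=1 ;;               # drop the flag and the next word
            -P*) ;;                         # drop the fused form
            *)   set -- "$@" "$_w_a" ;;     # keep everything else, in order
        esac
    done
    shift "$_w_n"                           # discard the original arguments

    _w_rc=0
    if [ -z "${DBPASSWORD:-}" ]; then
        echo "isql wrapper: DBPASSWORD is not set" >&2
        _w_rc=2
    else
        # Password becomes line 1 of isql's input, then the caller's stdin.
        # A here-document keeps it out of every process argument list, even
        # on shells where printf is an external command.
        {
            cat <<EOF
$DBPASSWORD
EOF
            cat
        } | "$real_isql" "$@" || _w_rc=$?
    fi

    if [ "$_w_trace" -eq 1 ]; then set -x; fi   # restore caller's tracing
    return "$_w_rc"
}

# Run as the wrapper only when this file is installed under the name "isql".
if [ "${0##*/}" = isql ]; then isql_wrapper "$@"; fi
```

The wrapper only controls what it passes on: a calling script that still expands `-P $DBPASSWORD` on its own command line will still show that expansion in its own xtrace output.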